STIX 2.0 Finish Line

After over a year of dedicated effort and years of building the foundation, the OASIS Cyber Threat Intelligence Technical Committee (CTI TC) voted in March 2017 to approve STIX 2.0 as a Committee Specification Draft and commence a 30-day public review, which ended April 6. Speaking as a co-chair of the STIX subcommittee in the CTI TC, this is a big deal.

Before exploring what this means, let's jump back a bit. STIX (Structured Threat Information eXpression) was originally conceived as a language to describe cyber threat intelligence. This was groundbreaking at the time because it was the first language to provide a definition of cyber threat intelligence. Although it’s a bit of a fuzzy term, cyber threat intelligence generally describes information about adversaries and their behaviors that can inform defensive actions. For example, knowing that a certain adversary targets financial institutions by using specially crafted spear-phishing emails, and then delivers Trojans that will reach out to a certain set of websites that are known to be malicious, can be very helpful in defending against the attack. STIX captures that type of intelligence in a machine-readable form so that it can be shared among organizations and tools.

The DHS Office of Cybersecurity and Communications funded MITRE, beginning in 2012, to act as the technical developer of STIX and serve as a community facilitator to jumpstart STIX. Once some level of maturity was reached, STIX would be transitioned to an international standards body. That goal was realized in 2015 when governance of STIX was transitioned to OASIS, an international standards consortium. This was a big step for STIX and a big success for DHS, MITRE, and the community because it meant that STIX was on its way to becoming an international standard. Although DHS and MITRE continue to serve in several leadership positions in the CTI TC, the majority of the leadership and the vast majority of participants in the TC are from industry. In fact, the OASIS CTI TC was founded with more participants than any other TC in OASIS history. It's that community that led the development of STIX 2.0.

STIX 2.0 builds on the working foundation built by STIX 1.x, but with a few key distinctions:

* Most visibly, while STIX 1.x used XML as an exchange format, STIX 2.0 uses JSON. This matches common practice in development today and should result in rapid adoption.

* While STIX 1.x focused on flexibility, STIX 2.0 stresses simplicity and standardization. There are fewer options and more requirements. This makes it easier to implement, which is a requirement for broad industry adoption.

* STIX 2.0 is a graph-based model, where STIX Domain Objects, representing concepts in the cyber domain, are related to each other using STIX Relationship Objects. STIX 1.x also contained connections, but by making it explicit, STIX 2.0 allows analysts and defenders to easily draw connections between seemingly unrelated data, follow chains from indicators of compromise to the adversaries behind the compromise, and build out those connections over time.
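The three distinctions above are easiest to see in a small, concrete bundle. The Python below is an added example written for this post, not code from the original article, the CTI TC or the stix2 project; it uses only the standard library, and every identifier, name and domain in it is constructed for illustration. It builds a STIX 2.0 bundle for the spear-phishing scenario described earlier (JSON rather than XML), checks the properties the specification requires on each object (the "more requirements" point), and follows STIX Relationship Objects from an indicator back to the threat actor, which is the chain from indicator of compromise to adversary that the graph model is meant to support. The required-property table is a subset of the 2.0 specification, enough for the object types used here.

```python
"""Added example (not from the original post, OASIS or the stix2 project): a STIX 2.0
bundle for the spear-phishing scenario, a check of required properties, and a walk over
the relationship graph from an indicator to the adversary behind it. All constructed."""
import json
import re
from collections import deque
NOW = "2017-04-06T00:00:00.000Z"  # constructed timestamp in STIX 2.0 format
UUID4_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
REQUIRED = {  # type-specific required properties (subset of the STIX 2.0 spec)
    "attack-pattern": ["name"],
    "indicator": ["labels", "pattern", "valid_from"],
    "malware": ["name", "labels"],
    "threat-actor": ["name", "labels"],
    "relationship": ["relationship_type", "source_ref", "target_ref"],
}
ACTOR_ID = "threat-actor--2c7d3e5a-1b4f-4a8e-9c2d-6f1e8b3a5d70"  # constructed ids, "<type>--<UUIDv4>"
PHISH_ID = "attack-pattern--9a8b7c6d-5e4f-4a3b-9c2d-1e0f9a8b7c6d"
TROJAN_ID = "malware--1f2e3d4c-5b6a-4798-8a9b-0c1d2e3f4a5b"
INDICATOR_ID = "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f"
BUNDLE_ID = "bundle--e5f6a7b8-c9d0-4e1f-8a2b-3c4d5e6f7a80"

def stix_object(obj_id, **props):
    """Build an SDO/SRO carrying the common properties every STIX 2.0 object needs."""
    obj = {"type": obj_id.split("--")[0], "id": obj_id, "created": NOW, "modified": NOW}
    obj.update(props)
    return obj

def relationship(rel_id, rel_type, source_id, target_id):
    """A STIX Relationship Object: the explicit edge of the STIX 2.0 graph."""
    return stix_object(rel_id, relationship_type=rel_type, source_ref=source_id, target_ref=target_id)

def build_bundle():
    """Adversary targets financial institutions via spear-phishing, delivers a Trojan,
    and the Trojan beacons to a domain that serves as the indicator of compromise."""
    objects = [
        stix_object(ACTOR_ID, name="Constructed Financial Crew", labels=["crime-syndicate"],
                    description="Constructed actor that targets financial institutions"),
        stix_object(PHISH_ID, name="Spear-phishing email with crafted attachment"),
        stix_object(TROJAN_ID, name="Constructed Trojan", labels=["trojan"]),
        stix_object(INDICATOR_ID, labels=["malicious-activity"], valid_from=NOW,
                    pattern="[domain-name:value = 'c2.constructed.example']"),
        relationship("relationship--b2c3d4e5-f6a7-4b8c-9d0e-1f2a3b4c5d6e", "uses", ACTOR_ID, PHISH_ID),
        relationship("relationship--c3d4e5f6-a7b8-4c9d-ae1f-2a3b4c5d6e7f", "uses", ACTOR_ID, TROJAN_ID),
        relationship("relationship--d4e5f6a7-b8c9-4d0e-bf2a-3b4c5d6e7f80", "indicates", INDICATOR_ID, TROJAN_ID),
    ]
    return {"type": "bundle", "id": BUNDLE_ID, "spec_version": "2.0", "objects": objects}

def validate(bundle):
    """Return a list of problems (empty means the bundle passes): id format, required
    properties, and relationships whose refs point at objects not in the bundle."""
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    problems = []
    for obj in objects:
        obj_id = obj.get("id", "<missing id>")
        prefix, _, uuid = obj_id.partition("--")
        if prefix != obj.get("type") or not UUID4_RE.match(uuid):
            problems.append(f"{obj_id}: id is not '<type>--<UUIDv4>'")
        for prop in ("type", "id", "created", "modified") + tuple(REQUIRED.get(obj.get("type"), [])):
            if prop not in obj:
                problems.append(f"{obj_id}: missing required property '{prop}'")
        for ref in ("source_ref", "target_ref") if obj.get("type") == "relationship" else ():
            if obj.get(ref) not in ids:
                problems.append(f"{obj_id}: {ref} {obj.get(ref)} is not in the bundle")
    return problems

def chain_to_adversary(bundle, start_id):
    """Breadth-first walk over Relationship Objects (either direction) from start_id; returns
    the ids along the shortest chain to a threat-actor, or None if no adversary is reachable."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    edges = {}
    for obj in bundle["objects"]:
        if obj.get("type") == "relationship":
            edges.setdefault(obj["source_ref"], []).append(obj["target_ref"])
            edges.setdefault(obj["target_ref"], []).append(obj["source_ref"])
    parent, queue = {start_id: None}, deque([start_id])
    while queue:
        current = queue.popleft()
        obj = by_id.get(current)
        if obj is None:  # dangling reference: the object is not in the bundle, nothing to follow
            continue
        if obj["type"] == "threat-actor":
            chain = [current]
            while parent[chain[-1]] is not None:
                chain.append(parent[chain[-1]])
            return chain[::-1]
        for nxt in edges.get(current, []):
            if nxt not in parent:
                parent[nxt] = current
                queue.append(nxt)
    return None

if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate(bundle))
    print("chain:", " -> ".join(chain_to_adversary(bundle, INDICATOR_ID)))
```

Running the script prints the bundle as JSON, an empty problem list, and the chain `indicator -> malware -> threat-actor`. Removing the malware object from the bundle leaves two relationships with dangling `target_ref` values: `validate` reports both, and `chain_to_adversary` returns None rather than following a reference to an object it cannot see, which is the kind of consistency check a consumer wants before it trusts a graph walk over shared intelligence.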

Standards work tends to be slow and deliberative, but the CTI TC set an aggressive goal to have something done within a year after chartering the TC. That meant that everyone in the community had to make tough compromises to reach a hard-fought consensus. It meant forging new ground with OASIS and doing our development on Google Docs, GitHub, and Slack rather than email lists and Word documents. It meant participants from New Zealand and Tokyo somehow waking up and dialing in to working meetings held at 2 AM their time. It meant 4-hour editorial sessions to make sure that the language was as good as it could be. Though it took longer than a year, the result of all that work is the approval of STIX 2.0 as a Committee Specification Draft by the TC.

By approving the Committee Specification Draft and opening the public review period, the CTI TC agrees that what we’ve done so far is worth continuing.

We realize, of course, that 2.0 is not the finish line for STIX itself. While 2.0 is a big step forward toward an industry standard, there's still work to do. The community has already started on STIX 2.1, which will address some areas that were deferred in order to build out the basic framework. For example, the community will tackle incident response features like an incident and event object, more in-depth modeling of malware and infrastructure, and feedback mechanisms such as opinions and intel notes. It's likely that the deadline will be just as aggressive and the community will again need to step up to get it done.

Also, as I write this, others in the TC are still hard at work on finishing TAXII 2.0. TAXII is a high-level protocol for moving cyber threat intelligence data (primarily STIX) between systems and tools. We expect that, within the coming months, TAXII will reach this same milestone and open its own public review period.

If you're interested in learning more about STIX 2.0 or TAXII 2.0, the documentation page is the best place to start.

About John Wunder

John Wunder is a principal cybersecurity engineer at MITRE who gradually came to cybersecurity from the software development world over the past 10 years. John has been working on STIX since the early days of STIX 1.0 and is currently a co-chair of the STIX Subcommittee in the OASIS Cyber Threat Intelligence Technical Committee. He believes that cybersecurity information sharing can improve security for everyone, and works across MITRE’s sponsors to make it easier, faster, and more effective. John Wunder can be contacted here.
